CVE-2026-33435
Published: 15 April 2026
Summary
CVE-2026-33435 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Weblate. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly mitigating this CVE by applying the patch released in Weblate 5.17 that filters Git and Mercurial configuration files.
AC-6 enforces least privilege, limiting project creation (and with it access to the project backup feature) to only the users who need it, as the advisory recommends; this shrinks the set of accounts that can reach the vulnerable feature while a fix is pending.
SI-10 mandates information input validation at input points like the backup process, directly addressing the lack of filtering on Git and Mercurial config files that enables path traversal and code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in the backup feature of the public-facing Weblate web application and lets authenticated high-privilege users (those who can create projects) supply malicious Git or Mercurial configuration files, leading to remote code execution. This maps directly to T1190 (exploiting the exposed application) and to T1068 (escalating from application-level access to code execution on the server, reflected in the CVSS scope change).
NVD Description
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.
Deeper analysis
CVE-2026-33435 affects Weblate, a web-based localization tool, in versions prior to 5.17. The vulnerability arises because the project backup feature fails to filter Git and Mercurial configuration files, potentially allowing remote code execution under certain circumstances. It is classified under CWE-23 (Relative Path Traversal), CWE-94 (Improper Control of Generation of Code), and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to network accessibility, changed scope, and full impact on confidentiality, integrity, and availability.
An attacker requires high privileges, specifically the ability to create projects, to reach the project backup functionality and exploit this issue. Exploitation involves crafting Git or Mercurial configuration files that, when processed as part of a backup, lead to remote code execution on the server. The high attack complexity (AC:H) indicates that success depends on conditions outside the attacker's control, consistent with the advisory's "under certain circumstances"; no user interaction is required beyond the attacker's own authenticated session.
The issue is addressed in Weblate version 5.17. For those unable to update immediately, the advisory recommends restricting access to the project backup feature, which is limited to users able to create projects, thereby reducing the vulnerability's scope. Relevant details are available in the GitHub security advisory (GHSA-558g-h753-6m33) and the associated pull request (PR #18549).
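As an added illustration of the SI-10 control and of the CWE-23 / CWE-434 weaknesses discussed above: the validator below inspects a project-backup archive before anything is extracted and rejects members that resolve outside the target directory as well as members that would supply a Git or Mercurial configuration file. This is example code written for this page, not Weblate's own backup code; the archive layout, the sample member names and the set of blocked VCS files are assumptions.

```python
import io
import posixpath
import re
import zipfile

# Assumed set of VCS configuration files a backup must never be allowed to
# supply, as (directory, file) pairs matched anywhere in a member path.
# The page names only Git and Mercurial configs; extend for other VCS you run.
BLOCKED_VCS_FILES = {
    (".git", "config"),  # .git/config
    (".hg", "hgrc"),     # .hg/hgrc
}

VERDICTS = ("ok", "vcs-config", "traversal", "absolute")


def classify_entry(name: str) -> str:
    """Classify one archive member name without touching the filesystem."""
    # Zip writers on Windows may emit backslashes; normalise before checking.
    norm = name.replace("\\", "/")
    # Absolute paths and drive-letter paths would escape the extraction root.
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return "absolute"
    parts = posixpath.normpath(norm).split("/")
    # After normalisation any remaining ".." component climbs out of the root
    # (CWE-23: relative path traversal).
    if ".." in parts:
        return "traversal"
    # Reject VCS configuration files regardless of their contents.
    for directory, filename in zip(parts, parts[1:]):
        if (directory, filename) in BLOCKED_VCS_FILES:
            return "vcs-config"
    return "ok"


def validate_backup(data: bytes) -> dict:
    """Scan a zip backup and group member names by verdict; nothing is extracted."""
    verdicts = {v: [] for v in VERDICTS}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdicts[classify_entry(info.filename)].append(info.filename)
    return verdicts


def safe_members(data: bytes) -> list:
    """Member names that passed every check and may be extracted."""
    return validate_backup(data)["ok"]


def build_sample_backup() -> bytes:
    """Constructed sample archive (not a real Weblate backup): benign files
    plus the kinds of entries the validator must refuse. File contents are
    placeholders; the check is on paths, not contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup.json", '{"project": "demo"}')
        zf.writestr("vcs/demo/po/cs.po", 'msgid "Hello"\nmsgstr "Ahoj"\n')
        zf.writestr("vcs/demo/.git/config", "[core]\n\trepositoryformatversion = 0\n")
        zf.writestr("vcs/demo/.hg/hgrc", "[paths]\ndefault = .\n")
        zf.writestr("../../etc/cron.d/demo", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = validate_backup(build_sample_backup())
    for verdict, names in report.items():
        for n in names:
            print(f"{verdict:11s} {n}")
```

Run the scan on the archive bytes before handing them to any extraction or VCS code path; an archive with anything other than an empty "vcs-config", "traversal" and "absolute" list should be rejected outright rather than partially restored, since the goal is to keep the configuration files out of a repository the server will later operate on.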
Details
- CWE(s)